Hello,
I have a Domain Controller running Windows Server 2025 24H2. When I try to log in with domain admin credentials, it says the password is wrong. I have another 5 domain controllers in different areas, and I can log in with the credentials on all servers and the domains with the same password. I created a new admin user account and I can log in.
I cannot reset the password because a lot of services run with the password.
Hello,
What parameters do I change?
Hi Spiros Boua,
Your previous diagnosis correctly identified that this is not an Active Directory replication issue, but rather an interoperability problem driven by Windows Server 2025's strict deprecation of legacy Kerberos encryption types. This cryptography protocol mismatch explains why your newly created account, which natively uses modern AES encryption, works flawlessly while your older admin account is rejected. Because you cannot reset the password without disrupting essential services, you must force the legacy account to utilize modern encryption standards to bridge this gap.
Log into the 2025 Domain Controller using your functional temporary admin account and open Active Directory Users and Computers. Enable Advanced Features from the View menu, open the properties of your problematic primary admin account, and navigate to the Attribute Editor tab. Locate the msDS-SupportedEncryptionTypes attribute and change its value to 24, which explicitly instructs the system to use robust AES-128 and AES-256 encryption.
If adjusting the attribute directly is not feasible, you can open the Registry Editor on the 2025 server and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Kdc to review and adjust the Key Distribution Center parameters to temporarily accommodate the legacy authentication request. This approach updates the cryptographic handshake without altering your actual password, preserving your running services while allowing the new server to successfully authenticate your credentials.
Hope this answer has brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.
VPHAN
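The attribute change described in the answer above can also be inspected and made from PowerShell. This is an added example, not part of the original thread: it assumes the ActiveDirectory module is installed, and the account name `legacyadmin` and the helper function names are placeholders.

```powershell
# Added example. 'legacyadmin' is a placeholder account name (assumption).
Import-Module ActiveDirectory

$Account    = 'legacyadmin'
$TargetMask = 24   # 0x08 + 0x10 = AES-128 + AES-256, the value given in the answer

# Bit flags carried in msDS-SupportedEncryptionTypes.
$EncTypeFlags = [ordered]@{
    'DES-CBC-CRC'             = 0x01
    'DES-CBC-MD5'             = 0x02
    'RC4-HMAC'                = 0x04
    'AES128-CTS-HMAC-SHA1-96' = 0x08
    'AES256-CTS-HMAC-SHA1-96' = 0x10
}

# Turn the numeric bitmask into the list of encryption type names it enables.
function ConvertFrom-EncTypeMask {
    param([int]$Mask)
    if ($Mask -eq 0) { return 'not set' }
    $names = foreach ($flag in $EncTypeFlags.GetEnumerator()) {
        if ($Mask -band $flag.Value) { $flag.Key }
    }
    return ($names -join ', ')
}

# Read the attribute for one account and return it in decoded form.
function Get-AccountEncTypes {
    param([string]$Identity)
    $user = Get-ADUser -Identity $Identity -Properties 'msDS-SupportedEncryptionTypes'
    $mask = [int]$user.'msDS-SupportedEncryptionTypes'   # $null (unset) becomes 0
    [pscustomobject]@{
        SamAccountName = $user.SamAccountName
        Mask           = $mask
        EncTypes       = ConvertFrom-EncTypeMask -Mask $mask
    }
}

# Record the current value before touching anything.
$before = Get-AccountEncTypes -Identity $Account
$before | Format-List

if ($before.Mask -ne $TargetMask) {
    # -WhatIf only reports what would change; remove it to write the attribute.
    Set-ADUser -Identity $Account -Replace @{ 'msDS-SupportedEncryptionTypes' = $TargetMask } -WhatIf
}
```

Keeping the `$before` output gives a record of the original value in case the change has to be reverted.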